Wandering Thoughts archives

2017-07-08

I wish you could easily update the packages on Ubuntu ISO images

Our system for installing Ubuntu machines starts from a somewhat customized Ubuntu ISO image (generally burned onto a DVD, although I want to experiment with making it work on a USB stick) and proceeds through some post-install customization scripts. One of the things that these scripts do is apply all of the accumulated Ubuntu updates to the system. In the beginning, when an Ubuntu LTS release is fresh and bright and new, this update process doesn't need to do much and goes quite fast. As time goes by, this changes. With 16.04 about a year old by now, applying updates requires a significant amount of time on real hardware (especially on servers without SSDs).

Ubuntu does create periodic point updates for their releases, with updated ISO images; for 16.04, the most recent is 16.04.2, created in mid-February. But there's still a decent number of updates that have accumulated since then. What I wish for is a straightforward way for third parties (such as us) to create an ISO image that included all of the latest updates, and to do so any time they felt like it. If we could do this, we'd probably respin our install images on a regular basis, which would be good for other reasons as well (for example, getting regular practice with the build procedure, which is currently something we only do once every two years as a new LTS release comes out).

There is an Ubuntu wiki page on Install CD customization, with a section on adding extra packages, but the procedure is daunting and it's not clear if it's what you do if you're updating packages instead of adding new ones. Plus, there's no mention of a tool that will figure out and perhaps fetch all of the current updates for the set of packages on the ISO image (I suspect that such a tool exists, since it's so obvious a need). As a practical matter it's not worth our time to fight our way through the resulting collection of issues and work, since all we'd be doing is somewhat speeding up our installs (and we don't do that many installs).

Sidebar: Why this is an extra pain with Ubuntu (and Debian)

The short version is that it is because how Debian and thus Ubuntu have chosen to implement package security. In the RPM world, what gets signed is the individual package and any collection of these packages is implicitly trusted. In the Debian and Ubuntu world, what generally gets signed is the repository metadata that describes a pool of packages. Since the metadata contains the cryptographic checksums of all of the packages, the packages are implicitly protected by the metadata's signature (see, for example, Debian's page on secure apt).

There are some good reasons to want signed repository metadata (also), but in practice it creates a real pain point for including extra packages or updating the packages. In the RPM world, any arbitrary collection of signed packages is perfectly good, so you can arbitrarily update an ISO image with new official packages (which will all be signed), or include extra ones. But in the Debian and Ubuntu world, changing the set of packages means that you need new signed metadata, and that means that you need a new key to sign it with (and then you need to get the system to accept your key).

UbuntuISOPackageUpdate written at 00:07:16; Add Comment

By day for July 2017: 8 9 10 14 16 31; before July; after July.

Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.